richard dorough, ence, c-ciso, cipp, cgeit, cisa...richard dorough 1 richard dorough, ence, c-ciso,...
Post on 06-Apr-2020
11 Views
Preview:
TRANSCRIPT
Richard Dorough
1
Richard Dorough, EnCE, C-CISO, CIPP, CGEIT, CISAManaging Director, Forensic Technology SolutionsFort Worth, TX
Mr. Dorough re- joined PricewaterhouseCoopers in 2012 and has over 19 yearsexperience in IT Security, IT Forensics, IT Audit, and IT Governance. Areas of focusinclude digital threat assessments, Cyber incident identification and response,electronic investigations and IT Security organization assessment and development.
Prior to returning to PwC, Mr. Dorough was the Global Chief Information SecurityOfficer for Textron. As Global Chief Information Security Officer, Mr. Dorough wasresponsible for developing, maintaining and assuring continuous improvement ofTextron’s Information Technology Security strategy, programs, policies andprocesses. This included leadership of the Information Technology Risk Management(ITRM) Council which is a team of Security leaders from across Textron’s BusinessUnits and COEs. Mr. Dorough was also responsible for IT Privacy governance,software asset management, disaster recovery and led the IT portion of the electronicdiscovery (eDiscovery) program for Textron.
Mr. Dorough has a Bachelor of Science in Computer Science from the University ofTexas at Tyler. He is a certified DFSS Green Belt and has additional certifications inIT, IT Forensics, IT Data Privacy, eDiscovery, IT Audit, and IT Security. He isrecognized as an industry SME in the area of IT, IT Security, eDiscovery andForensics and frequently speaks at security related events, functions and conferencesand sits on several security related boards and governing bodies. CIO Talk Radio,CXO Magazine, CSO perspectives, CISO Executive Summit to name a few.
Matthew Wilson
2
Matthew WilsonDirector, IT Risk, Security and PrivacyDallas, TX
Matt is a Dallas based PwC Risk Assurance Director with 10 years of experiencespecializing in IT, Risk and Security. Matt has held a number of internal and externalaudit leadership positions across many industries. Matt has been responsible for riskassessment, audit plan development and execution, leading business process andcompliance reviews, ERP system assessments, system implementation assurancereviews, SSAE16 reporting, and other internal and external audit engagements. Inthis capacity Matt has developed significant experience with IT risk assessment,system implementation assurance and information security.
Ashley Shugart
3
Ashley ShugartManager, IT Risk, Security and PrivacyDallas, TX
Ashley Shugart is a Security & Privacy Services Manager specializing in privacy, dataprotection and information security. His privacy service delivery experience rangesfrom basic policy reviews, training/awareness development, benchmark analysis,privacy impact assessments and developing and implementing national and globalprivacy programs. Ashley's primary focus revolves around leading practices with anemphasis on program development, regulatory compliance, incident responsemanagement, and operational implementation. He also has extensive knowledge ofprivacy frameworks (e.g., Generally Accepted Privacy Principles) and the ever-evolving legal, regulatory and compliance landscape.
Ashley also advises clients on security best practices and requirements in order tosafeguard corporate assets, including confidential data, intellectual property, andsensitive data such as credit card and health related information. He has a broadunderstanding of technology, its role in the enterprise and the tools, techniques andprocesses required to mitigate technology risks. Ashley has performed a variety ofsecurity related services including program strategy and policy development, ITgovernance, incident response and handling, baseline assessment and benchmarkingreviews, as well as experience with HIPAA, NIST, COBIT, and ISO27002.
In today's ever-changing glossary of terminology in this area, Ashley has directexperience in areas of privacy compliance, data protection, IT security, dataclassification, privacy strategy, privacy program management.
Cybersecurity: Recent Data Breachesand the Evolving Role of Internal Audit
www.pwc.com/cybersecurity
Presented to the Association ofGovernment AccountantsDallas Chapter
October 16, 2014
PwC
• The US government notifies 3,000
companies that they were were
attacked and charges nation-backed
hackers with economic espionage.
• Compromises of retailers culminate
in a recent breach of 56 million
credit cards.
• Heartbleed defect results in the loss
of 4.5 million healthcare records.
• Powerful malware infects
hundreds of energy companies
worldwide.
• More than half of global securities
exchanges are hacked.
• Regulators around the world are
beginning to more proactively address
cyber risks.
Recent statistics - today, security compromisesare a persistent—and globally pervasive—businessrisk
2Source: PwC’s The Global State of Information Security Survey 2015
PwC
The number of security incidents continues
to soar
The total number of security incidents
detected by survey respondents climbed
to 42.8 million this year, an increase
of 48% over 2013.
It’s the equivalent of 117,339incoming attacks per day, every day.
And that’s just the compromises that
were discovered.
42.8 million
3Source: PwC’s The Global State of Information Security Survey 2015
PwC
A steady 66% year-over-year growth since 2009
Taking a longer view, our survey data shows
that the compound annual growth rate
(CAGR) of detected security incidents has
increased 66% year over year since 2009.
4Source: PwC’s The Global State of Information Security Survey 2015
PwC
Primary Failure points
#4 Underestimating Technology
# 3 Underestimating Data
# 2 Senior Management Commitment
# 1 Maturity and Execution of Company ITSecurity Tools and Capabilities
5
PwC
Profile of threat actors
Nation State
Insiders
OrganizedCrime
Hacktivists
• Economic, political,and/or military advantage
• Immediate financial gain• Collect information for future
financial gains
• Personal advantage,monetary gain
• Professional revenge• Patriotism
• Influence political and /orsocial change
• Pressure business to changetheir practices
MotivesAdversary
• Trade secrets• Sensitive business
information• Emerging technologies• Critical infrastructure
• Financial / Payment Systems• Personally Identifiable
Information• Payment Card Information• Protected Health Information
• Sales, deals, market strategies• Corporate secrets, IP, R&D• Business operations• Personnel information
• Corporate secrets• Sensitive business information• Information related to key
executives, employees,customers & business partners
Targets
• Loss of competitiveadvantage
• Disruption to criticalinfrastructure
• Costly regulatory inquiriesand penalties
• Consumer and shareholderlawsuits
• Loss of consumer confidence
• Trade secret disclosure• Operational disruption• Brand and reputation• National security impact
• Disruption of businessactivities
• Brand and reputation• Loss of consumer confidence
Impact
6
PwC
Anatomy of a cyber attack
Recon Weaponize Deliver Exploit Install C2 Actions
Target anorganization orindustry
• Browsewebsites
• Social Media• Pre social
engineering• External scans
Craftmaliciouspayload
• Trojanizeddocs
• Packedexecutables
• Obfuscatedshell code
Payload sent totarget
• SQL injection• Spear phishing
Compromisesystem
• Execution ofpayload
• Critical phaseof the attack.
Installation ofmalware /tools postexploitation
• Install rootkits• Password
crackers• Keyloggers• Hacking tools
Command andcontrol
• Leverageexploit
• Accessbackdoors
• Reverse shell• Lateral
movement• Maintain
persistence
Ultimate goalsachieved
• Exfiltrate data• Launch other
attacks
7
PwC
Real-Time Monitoring of the Cyber Kill Chain
Phase Detect Deny Disrupt Degrade Deceive
Reconnaissance NIDS,Web analytics
Firewall ACL
Weaponize NIDS, In-line AV NIPS
Delivery In-line AV,User Awareness
Proxy filter In-line AV Queuing
Exploitation HIDS Patch DEP
Installation HIDS Whitelist AV
C2 NIDS, In-line AV Firewall ACL NIPS Tarpit DNS redirect
Actions HIDS, DLP DLP Quality ofService
Honeypot
8
PwC
Evolving business risks……impacting brand, competitive advantage, and shareholder value
Advancements in and evolving use oftechnology – adoption of cloud-enabledservices; Internet of Things (“IoT”) securityimplications; BYOD usage
Value chain collaboration andinformation sharing – persistent ‘thirdparty’ integration; tiered partner accessrequirements; usage and storage of criticalassets throughout ecosystem
Operational fragility – Real-timeoperations; product manufacturing; servicedelivery; customer experience
Business objectives and initiatives –M&A transactions; emerging marketexpansion; sensitive activities of interest toadversaries
Historical headlines haveprimarily been driven bycompliance anddisclosure requirements
Cybersecurity must beviewed as a strategicbusiness imperative inorder to protect brand,competitive advantage,and shareholder value
Unmanagedrisks with
potential long-term, strategicimplications
However, the realimpact is often notrecognized, appreciated,or reported
Highlights of activities impacting risk:
9
PwC
Enterprise risks associated with cybercrime
Investigation costs
Legal costs
Brand damage
State and federal regulatory actions
Third-party and class action lawsuits
Business partner lawsuits/indemnification
10
PwC
Why organizations have not kept pace
Years of underinvestment in certain areas has left organizations unable toadequately adapt and respond to dynamic cyber risks.
Product & ServiceSecurity
PhysicalSecurity
OperationalTechnology
Security
Public/PrivateInformation
Sharing
ThreatModeling
& ScenarioPlanning
TechnologyAdoption andEnablement
Ecosystem &Supply Chain
Security
GlobalSecurity
Operations
BreachInvestigationand Response
Notificationand
Disclosure
Privileged AccessManagement
SecurityTechnology
Rationalization
Patch &ConfigurationManagement
consecteturadipiscing elit
InsiderThreat
UserAdministration
TechnologyDebt
Management
Secure Mobileand CloudComputing
Security Strategy and Roadmap
Board, Audit Committee, and Executive Leadership Engagement
Business Alignment and Enablement
Process andTechnology
Fundamentals
ThreatIntelligence
Incidentand Crisis
Management
Ris
ka
nd
Imp
ac
tE
va
lua
tio
nR
eso
ur
ce
Pr
ior
itiza
tion
Security Program, Functions, Resources and Capabilities
ComplianceRemediation
Security Cultureand Mindset
Monitoringand Detection
Critical AssetIdentification and
Protection
11
PwC Prevent Detect Respond
Hu
ma
n/
Ex
tern
al
Ne
two
rk
Op
era
tin
gS
yste
mD
ata
/D
ata
ba
seA
pp
lica
tio
n
Threat Intelligence
SecurityInfo &EventMgmt
Firewalls IPS/IDS
Encryption
FileIntegrity
DBFirewall
Antivirus /Endpoint
MalwareAnalysis
Forensic Tools
White listing
MemoryAnalysis
IdentityMgmt
SpamFilter
DLP / InformationProtection
Malware Appliance
Live MemoryMonitor
Resilient Cyber Security
Functional Security Capabilities
Network Analysis
NAC
Anti-phishing
Traditional Security
12
PwC
Managing the risks
Know the Who, What, Where of your sensitive data
Ignoring compliance is not an option
Review internal policies and procedures
Update privacy policy
Make your plan bigger than technology
Review existing insurance coverage
Monitor and audit
Establish call-back procedures to help defend against social engineering
Consider using encryption
Control or limit access to payment and other sensitive systems
13
PwC
Transformation Journey
Log IgnoranceLog Collection and
Review
Security Incident andEvent Management
CapableActionable Threat
Intelligence
Increased Threat Intelligence and Threat Visibility
• No log collection andreview process
• No documentedcompliance processand policies
• Ad hoc log collectionprocess
• Limited access & activitylogging
• Logs are reviewed aspart of incident response
• Real-time Log Analysis
• Real-time Alerting
• SIEM tools areconfigured based onlimited use cases
• Enterprise SecurityInformationManagement
• Multi dimensionalsecurity analytics
• ContinuousImprovement inprocesses & architecture
• Business risk awaremonitoring
• Focus on risk avoidance
1
StandardizedLogging and
Monitoring forCompliance
3
2
4
• Log collection and logmanagement is in place
• Review log reportsperiodically
• Delayed Alerting
• SIEM / Logmanagement is focusedonly for compliance
5
14
PwC
Responding to a breach
Maintain an incident-response plan and team
• Identify team members and responsibilities• Outline breach response measures• Involve outside professionals (legal, forensic, public relations)
Consult with legal counsel
• Guide breach response• Ensure compliance• Preserve applicable privileges
Preserve digital evidence
• Do not alter compromised systems• Do not turn compromised machine off; isolate from network• Preserve logs and log all actions taken
15
PwC
Responding to a breach
Maintain network diagrams and Scan to detect rogues
• Provides quick, clear picture of environment
Establish vendor and law enforcement relationships
Be accurate and be fast
• Prepare to implement a communications plan
• Communicate at the earliest appropriate opportunity• Commit to updating as more facts become available
Containment
• Prevent further compromise
Remediation
• Patch vulnerabilities (ALL vulnerabilities and ALL devices connected to the net)
16
PwC
Given all this, how should InternalAudit (IA) respond to rapidlyevolving risks and threats?
17
PwC
Addressing the board level discussion.
Do we understand our risk?
Do we know the maturity of our capabilities?
What are we trying to achieve,and how do we measure?
18
PwC
Do we understand our risk?
What are we trying to protect?
Evaluating the likelihood and impact.
Understanding IT Risk Management in the context ofEnterprise Risk Management.
Communicate strategy of the program concisely to the board.
What are our most critical assets?
What are our legal, regulatory and compliance obligations?
Summarize Risk Simply Value
19
PwC
Do we know our capabilities?
Security Maturity
Frameworks
Tools, Tools, Tools
Current and
1. Profile the Program2. Conduct Industry Benchmark3. Score Program maturity
PwC’s ATLAS, NIST CSF, C2M2, FISMA, 800-53, etc.
Detail and process testing – both are needed.
Investment in tools does not necessarily mean a capabilityhas been developed.
Where are we?
Where do we want to be?
Assessments
And Testing
Target State
Traditional risk assessmentsdo not assess whether theinformation security strategyand program is aligned withthe business strategy.
20
PwC
Evolving role of IA – Measuring achievement andstrategic alignment
Evaluating Capabilities
Auditing Processes and Controls
Roadmap and Risk Management participation
ValueThe Evolving Role
of Internal Audit
21
PwC
IA Focus Areas
Threat and Vulnerability Management
• How is cyber intelligence integrated into the vulnerabilitymanagement program?
• Patch management and system hardening are highly technical yetthese capabilities should be understood and evaluated
• Evaluation requires a detailed understanding of your ITarchitecture
Common pitfalls
• Security by obscurity is no longer relevant with operationaltechnology
• End of life systems are improperly managed
• Asset management does not support vulnerability management
• Metrics are incomplete or not used at all
22
PwC
IA Focus Areas
Governance and IT Risk Management
• Strong security practices develop from mature capabilities,grounded by documented policies and procedures
• A consistent, metrics driven process to substantiate progress withinformation security initiatives
• Formal IT security risk management to determine how to reactwhen vulnerabilities are detected
Common pitfalls
• Not prioritizing security based on the risk to the organization –where is your sensitive data or valuable assets?
23
PwC
IA can provide value in every one of theseactivities.
4 Assess cybersecurity of third parties and supply chain partners, and ensure theyadhere to your security policies and practices
2Identify your most valuable information assets, and prioritize protection of thishigh-value data
1 Ensure that your cybersecurity strategy is aligned with business objectives and isstrategically funded
3 Understand your adversaries, including their motives, resources, and methods ofattack to help reduce the time from detect to respond
5 Collaborate with others to increase awareness of cybersecurity threats andresponse tactics
24
PwC
For more information on cybersecurity…
www.pwc.com/cybersecurity
• Results of 2015 Global State of InformationSecurity
• Answering you cybersecurity questions; the needcontinued action
• 2013 US State of Cybercrime Survey Whitepaper
• 10Minutes on the stark realities of cybersecurity
• Cybersecurity risk on the board’s agenda
• Cyber Video Series
• A response to the President’s CybersecurityExecutive Order
25
PwC
Key Contacts
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and maysometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. Thiscontent is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
Richard DoroughManaging DirectorFt. Worth, TXrichard.e.dorough@us.pwc.com(817) 296-2835
Ashley ShugartManagerDallas, TXashugart@us.pwc.com(202) 679-5939
Matthew WilsonDirectorDallas, TXmatthew.l.wilson@us.pwc.com(678) 427-1042
top related